feat(gitea): Stage 4 — hardened compose with OIDC-ready config + Keycloak CLI auth source
stacks/gitea/compose.yml — full production-grade env:
- Server posture: PROTOCOL=http (nginx terminates TLS), DOMAIN=git.wbd-rd.nl,
DISABLE_SSH=true, INSTALL_LOCK=true (skip web wizard).
- Postgres backend (DB+role auto-provisioned by sql/config/init.d/).
- Local registration disabled; users provisioned via Keycloak OIDC with
ENABLE_AUTO_REGISTRATION=true so first OIDC login auto-creates the
matching local account (USERNAME=nickname, ACCOUNT_LINKING=auto).
- Mail stub via postfix on app network (ENABLED=false until postfix is up).
- Repos default to private.
- GITEA_OAUTH_* env vars are pass-through values consumed only by the
post-deploy CLI step; gitea itself doesn't read them.
stacks/gitea/.env.example — DB connection, OAuth client ID/secret/discovery
URL, mail-from. Empty placeholders for secrets.
stacks/gitea/README.md — full Stage 5 deploy script:
1. Fill GITEA_DB_PASSWORD + GITEA_OAUTH_CLIENT_SECRET in cloud/.env
2. docker compose up -d gitea
3. gitea admin user create --admin --random-password
4. gitea admin auth add-oauth --provider openidConnect
--auto-discover-url https://auth.wbd-rd.nl/realms/wbd/.well-known/openid-configuration
5. Browse https://git.wbd-rd.nl/ → "Sign in with keycloak"
cloud/compose.yml — uncomment gitea include.
cloud/.env.example — add GITEA_DOMAIN, GITEA_OAUTH_*, GITEA_MAIL_FROM.
.gitignore line 2 (`.env`) already catches .env files at any depth
(verified with `git check-ignore`). Secrets won't be committed.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
znetsixe
@@ -1,8 +1,89 @@
|
||||
# gitea
|
||||
|
||||
Self-hosted git server. **Cloud-only.** (External repos live at `gitea.wbd-rd.nl`; this is for R&D internal use.)
|
||||
Self-hosted git server for R&D. **Cloud-only.** Hostname `git.wbd-rd.nl` (reverse-proxied via nginx-proxy; HTTP internally).
|
||||
|
||||
- **Networks**: `app` (UI) + `data` (postgres backend in `sql` stack)
|
||||
- **Volume**: `gitea-data` (repos + LFS + actions runners)
|
||||
- **SSH ingress**: **disabled** (`DISABLE_SSH=true`). All clones over HTTPS via nginx-proxy. Re-evaluate only if Gitea Actions runners need SSH push semantics.
|
||||
- **TODO**: Keycloak OIDC, Gitea Actions runners, LFS storage policy
|
||||
- **Networks**: `app` (nginx → gitea) + `data` (gitea → postgres)
|
||||
- **Volume**: `gitea-data` (repos, LFS, hooks, actions runners)
|
||||
- **SSH ingress**: disabled (`DISABLE_SSH=true`). All clones over HTTPS.
|
||||
- **Auth**: SSO via Keycloak (`wbd` realm, client `gitea`). Local registration disabled — users come in via OIDC.
|
||||
|
||||
The web installer is skipped (`INSTALL_LOCK=true`); admin user + OIDC source are provisioned with CLI commands post-deploy.
|
||||
|
||||
## Stage 5 — deploy
|
||||
|
||||
Prereqs (Stages 1–3, done by hand in Keycloak):
|
||||
- `sql`, `nginx-proxy`, `keycloak`, `portainer` already up
|
||||
- Keycloak `wbd` realm created
|
||||
- Keycloak client `gitea` created with redirect URI `https://git.wbd-rd.nl/user/oauth2/keycloak/callback`
|
||||
- Client secret captured
|
||||
|
||||
### 1. Fill cloud/.env
|
||||
|
||||
```
|
||||
GITEA_DB_PASSWORD=<from your password manager>
|
||||
GITEA_OAUTH_CLIENT_SECRET=<from Keycloak → Clients → gitea → Credentials>
|
||||
```
|
||||
|
||||
### 2. Bring gitea up
|
||||
|
||||
```bash
|
||||
cd /mnt/d/gitea/RnD/infra/cloud
|
||||
docker compose up -d gitea
|
||||
docker compose logs -f gitea
|
||||
# Wait for: "Listen: http://0.0.0.0:3000"
|
||||
```
|
||||
|
||||
### 3. Create the initial admin user (one-time)
|
||||
|
||||
```bash
|
||||
docker compose exec -u git gitea \
|
||||
gitea admin user create \
|
||||
--admin --username admin \
|
||||
--email admin@wbd-rd.nl \
|
||||
--random-password \
|
||||
--must-change-password=true
|
||||
```
|
||||
|
||||
Note the printed random password; sign in once at `https://git.wbd-rd.nl/`, change it.
|
||||
|
||||
### 4. Add the Keycloak OIDC auth source
|
||||
|
||||
```bash
|
||||
docker compose exec -u git gitea sh -c '
|
||||
gitea admin auth add-oauth \
|
||||
--name keycloak \
|
||||
--provider openidConnect \
|
||||
--key "$GITEA_OAUTH_CLIENT_ID" \
|
||||
--secret "$GITEA_OAUTH_CLIENT_SECRET" \
|
||||
--auto-discover-url "$GITEA_OAUTH_DISCOVERY_URL" \
|
||||
--scopes "openid email profile"
|
||||
'
|
||||
```
|
||||
|
||||
(The env vars are passed through from `cloud/.env` via the gitea container's `environment:` block.)
|
||||
|
||||
### 5. Verify
|
||||
|
||||
Browse `https://git.wbd-rd.nl/` → "Sign in with keycloak" → first OIDC user is auto-created (because `oauth2_client.ENABLE_AUTO_REGISTRATION=true`).
|
||||
|
||||
## Mail
|
||||
|
||||
`GITEA__mailer__ENABLED=false` by default. Flip to `true` (in cloud/.env or here) once the `postfix` stack is up; Gitea then sends notifications via `smtp://postfix:25`.
|
||||
|
||||
## Migrating from Versio Gitea (deferred)
|
||||
|
||||
Plan once the new instance is verified working end-to-end:
|
||||
|
||||
1. `pg_dump` Versio Gitea's database
|
||||
2. Restore to the new `gitea` postgres DB
|
||||
3. `rsync` `/data/gitea/{repositories,lfs,avatars}` from old to new over the WG tunnel
|
||||
4. Restart gitea
|
||||
5. DNS cutover: point `gitea.wbd-rd.nl` at the new cloud IP (or leave both names; `git.wbd-rd.nl` is the canonical going forward)
|
||||
|
||||
## TODO
|
||||
|
||||
- Gitea Actions runners (post-cutover)
|
||||
- Webhook → Jenkins on push (CI trigger)
|
||||
- LFS storage policy + size limits
|
||||
- Mirror policy for external GitHub orgs (read-only mirrors)
|
||||
- Repo / org templates for new R&D projects
|
||||
|
||||
Reference in New Issue
Block a user